WSO2 Identity Server 5.1.0 will be released soon and with that hope to get more OpenID Connect compliance feature than previous WSO2 Identity Server releases. ID Token is the key factor of OpenID Connect core specification [1]. Previous releases of WSO2 Identity Server up to IS 5.0.0 did not provide signed ID Token and which is bit hard to manage in production environment. With Identity Server 5.1.0 release we are going to provide signed ID Token to address some security vulnerabilities in production environment.
Unsigned ID token contains only 2 portions separated by "."
<header>.<body>
Sample
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0
Signed ID token contains 3 portions separated by "."
<header>.<body>.<signature>
Sample
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg
If you want to see exact json values, you can do Base64 decode for <header>.<body>
This is a simple java program to validate ID token signature against default wso2carbon.jks public key in WSO2 products.
package org.sample;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
public class ValidateRSASignature {
public static void main(String[] args) throws Exception {
RSAPublicKey publicKey = null;
InputStream file = ClassLoader
.getSystemResourceAsStream("wso2carbon.jks");
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(file, "wso2carbon".toCharArray());
String alias = "wso2carbon";
// Get certificate of public key
Certificate cert = keystore.getCertificate(alias);
// Get public key
publicKey = (RSAPublicKey) cert.getPublicKey();
// Enter JWT String here
String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";
SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);
JWSVerifier verifier = new RSASSAVerifier(publicKey);
if (signedJWT.verify(verifier)) {
System.out.println("Signature is Valid");
} else {
System.out.println("Signature is NOT Valid");
}
}
}
Configuration to switch between signed and unsigned ID tokens
With default configurations ID token is always signed if you want to switch off ID token signing please following configurations in identity.xml
<AuthorizationContextTokenGeneration>
<Enabled>true</Enabled>
<SignatureAlgorithm>NONE</SignatureAlgorithm>
</AuthorizationContextTokenGeneration>
Please Note:
By default WSO2 products ship with wso2carbon.jks. In wso2carbon.jks key store password is "wso2carbon" and certificate alias also "wso2carbon". In production environment we recommend to change those values.
Complete sample source attached here with all readME instructions.
[1]http://openid.net/specs/openid-connect-core-1_0.html
[2]https://svn.wso2.com/wso2/interns/2013/gayan/org.sample.zip
Unsigned ID token contains only 2 portions separated by "."
<header>.<body>
Sample
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0
Signed ID token contains 3 portions separated by "."
<header>.<body>.<signature>
Sample
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg
If you want to see exact json values, you can do Base64 decode for <header>.<body>
This is a simple java program to validate ID token signature against default wso2carbon.jks public key in WSO2 products.
package org.sample;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
public class ValidateRSASignature {
public static void main(String[] args) throws Exception {
RSAPublicKey publicKey = null;
InputStream file = ClassLoader
.getSystemResourceAsStream("wso2carbon.jks");
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(file, "wso2carbon".toCharArray());
String alias = "wso2carbon";
// Get certificate of public key
Certificate cert = keystore.getCertificate(alias);
// Get public key
publicKey = (RSAPublicKey) cert.getPublicKey();
// Enter JWT String here
String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";
SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);
JWSVerifier verifier = new RSASSAVerifier(publicKey);
if (signedJWT.verify(verifier)) {
System.out.println("Signature is Valid");
} else {
System.out.println("Signature is NOT Valid");
}
}
}
Configuration to switch between signed and unsigned ID tokens
With default configurations ID token is always signed if you want to switch off ID token signing please following configurations in identity.xml
<AuthorizationContextTokenGeneration>
<Enabled>true</Enabled>
<SignatureAlgorithm>NONE</SignatureAlgorithm>
</AuthorizationContextTokenGeneration>
Please Note:
By default WSO2 products ship with wso2carbon.jks. In wso2carbon.jks key store password is "wso2carbon" and certificate alias also "wso2carbon". In production environment we recommend to change those values.
Complete sample source attached here with all readME instructions.
[1]http://openid.net/specs/openid-connect-core-1_0.html
[2]https://svn.wso2.com/wso2/interns/2013/gayan/org.sample.zip
